Analysis of a spy module inside a WhatsApp mod

Researchers found a spy module (detected as Trojan-Spy.AndroidOS.CanesSpy) embedded into popular third‑party WhatsApp mods that activates via app components not present in the legitimate client and communicates with C2 servers to harvest and exfiltrate device data. Infected mods were distributed through Telegram channels and multiple dubious websites, with MD5s and C2 domains published for detection. #CanesSpy #WhatsApp

Keypoints

The trojanized WhatsApp mods include additional components (a broadcast receiver and a service) absent from the official client that provide automatic launch and persistence.
On activation (boot or when charging) the receiver starts a service which chooses a C2 server using an internal constant and posts device identifiers to /api/v1/AllRequest.
The implant regularly requests configuration and “orders” from the C2 (default one-minute interval) and exfiltrates contacts and account data every five minutes.
Supported commands enable listing external-storage file paths, selective file retrieval, uploading files as ZIP archives, changing C2 servers, and recording microphone audio via the RecordSound command.
Distribution was traced mainly to Telegram channels (Arabic/Azeri) and multiple third‑party WhatsApp mod websites; infected builds date from mid‑August 2023 onward.
Kaspersky published MD5 hashes of infected APKs and a list of C2 domains and distributing websites to aid detection and takedown efforts.

MITRE Techniques

[T1547] Boot or Logon Autostart Execution – the broadcast receiver triggers a service that launches the spy module on phone startup or when charging. [‘the receiver runs a service that launches the spy module when the phone is switched on or starts charging.’]
[T1071] Application Layer Protocol – the implant uses HTTP POST requests to communicate with C2 endpoints (e.g., /api/v1/AllRequest) to send device info and receive commands. [‘it sends a POST request containing information about the device to the threat operator’s server along the path /api/v1/AllRequest.’]
[T1041] Exfiltration Over C2 Channel – files and data (contacts/accounts, external-storage files zipped) are uploaded to C2 paths like /api/v1/UploadFileWithContinue. [‘Send a file from external storage (non-system memory or a removable medium, such as an SD card) as a ZIP archive’]
[T1083] File and Directory Discovery – the malware enumerates external storage and returns file paths and names to the C2 (GetAllFileList / SaveFileNames). [‘Send paths to all files in the external storage’]
[T1123] Audio Capture – the RecordSound command captures audio from the microphone and uploads it via /api/v1/UploadSmallFile. [‘Record sound from the microphone’]

Indicators of Compromise

[MD5 hashes] Infected APKs – 1db5c057a441b10b915dbb14bba99e72, 80d7f95b7231cc857b331a993184499d, and 4 more hashes
[C2 domains] Command-and-control servers – hxxps://application-marketing[.]com, hxxps://whatsupdates[.]com, and other listed C2 domains
[Distribution websites] Sites hosting trojanized mods – hxxps://whatsagold[.]app, hxxps://watsabplusgold[.]com, and additional mod sites

The trojanized WhatsApp mods add a broadcast receiver and service into the APK manifest to achieve persistence and automatic activation: the receiver listens for system broadcasts (boot/charging) and launches the service which loads the spy module. At startup the implant selects a command‑and‑control server via an internal constant and immediately issues an HTTP POST to /api/v1/AllRequest to upload device identifiers (IMEI, phone number, MCC/MNC) and to request configuration such as upload paths and polling intervals.

The implant polls the C2 for “orders” (default every minute) and implements commands that enumerate external storage (GetAllFileList → /api/v1/SaveFileNames), filter and collect specific file types, compress and upload files as ZIP archives (/api/v1/UploadFileWithContinue), change the main C2 server, and capture audio via a RecordSound command uploaded to /api/v1/UploadSmallFile. Contacts and account information are transmitted at five‑minute intervals, and the module supports SQL‑style filters for selective file access when calling Android’s ContentResolver.

Researchers traced distribution mainly to Telegram channels and several third‑party WhatsApp mod websites, analyzed APK timestamps to identify the first infected builds (mid‑August 2023 onward), and published MD5s plus C2/domain indicators to help detection and blocking. Operators and defenders can prioritize scanning for the listed MD5s, network requests to /api/v1/* paths, and unexpected manifest components (broadcast receiver/service) in WhatsApp APKs to detect this implant.